Check active directory group membership recursively

So I have a question regarding recursive groups in active directory. I have a little method that checks if a user id is in a group or not. Works great. Found out today that it doesn't check recursive group membership and I'm not too sure how (or if) there is a way to do that. Here's what I have so far for non-recursive:

using System.DirectoryServices.AccountManagement;

public static bool CheckGroupMembership(string userID, string groupName, string Domain)
{
  bool isMember = false;

  // PrincipalContext holds a connection to the domain; dispose it when done.
  using (PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain, Domain))
  {
    UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID);

    // FindByIdentity returns null for an unknown user, so guard before dereferencing.
    // IsMemberOf tests direct membership only; nested groups are not expanded.
    if (user != null && user.IsMemberOf(ADDomain, IdentityType.Name, groupName.Trim()))
    {
      isMember = true;
    }
  }

  return isMember;
}

I've seen some things about a directory searcher or something but I'm somewhat new to working directly with AD and while I understand the concepts, some other things are still a little lost on me.

Thanks!

Seril asked Apr 13 '12 17:04


2 Answers

You can also check by using the recursive option of GroupPrincipal.GetMembers.

using System.DirectoryServices.AccountManagement;
using System.Linq;

public static bool CheckGroupMembership(string userID, string groupName, string Domain) {
    bool isMember = false;

    using (PrincipalContext ADDomain = new PrincipalContext(ContextType.Domain, Domain)) {
        UserPrincipal user = UserPrincipal.FindByIdentity(ADDomain, userID);
        GroupPrincipal group = GroupPrincipal.FindByIdentity(ADDomain, groupName);

        if ((user != null) && (group != null)) {
            // GetMembers(true) expands nested groups. It enumerates every member of the
            // target group, so it can be slow for very large groups.
            // Contains() relies on Principal.Equals, which compares the underlying
            // directory objects rather than display names.
            isMember = group.GetMembers(true).Contains(user);
        }
    }

    return isMember;
}
Steve Young answered Sep 20 '22 14:09


Here is a solution using System.DirectoryServices.AccountManagement Namespace. It's a kind of recursive solution. In Find Recursive Group Membership (Active Directory) using C#, I give a recursive solution that also works with distribution groups.

/* Retrieving a principal context
 */
Console.WriteLine("Retrieving a principal context");
using (PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "PWD"))
{
  /* Look for all the groups a user belongs to.
   * GetAuthorizationGroups returns the security groups in the user's token,
   * nested ones included, so no explicit recursion is needed here.
   */
  UserPrincipal aUser = UserPrincipal.FindByIdentity(domainContext, "user1");
  PrincipalSearchResult<Principal> a = aUser.GetAuthorizationGroups();

  foreach (GroupPrincipal gTmp in a)
  {
    Console.WriteLine(gTmp.Name);
  }
}
JPBlanc answered Sep 19 '22 14:09
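As an added example, not from the question or from either answer: the same recursive check done by walking upward from the user's direct groups with `Principal.GetGroups()`, matching the target by SID rather than by display name and guarding against circular nesting. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class AdMembership
{
    // Walks upward from the user (user -> direct groups -> their parent groups ...)
    // and reports whether the target group is reached. Groups are matched by SID,
    // the canonical identifier, and a visited set makes the walk terminate even
    // when groups are nested in a cycle, which Active Directory permits.
    public static bool IsMemberRecursive(string userId, string groupName, string domain)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, userId))
        using (var target = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            // Unknown user or group: report "not a member" rather than throwing.
            if (user == null || target == null)
                return false;

            SecurityIdentifier targetSid = target.Sid;
            var visited = new HashSet<SecurityIdentifier>();
            var pending = new Stack<Principal>();
            pending.Push(user);

            while (pending.Count > 0)
            {
                Principal current = pending.Pop();
                // GetGroups lists only the groups this principal is a direct
                // member of; the loop supplies the recursion.
                foreach (Principal p in current.GetGroups())
                {
                    var g = p as GroupPrincipal;
                    if (g == null) continue;
                    if (g.Sid.Equals(targetSid))
                        return true;
                    // Push each group once; a repeat means circular nesting.
                    if (visited.Add(g.Sid))
                        pending.Push(g);
                }
            }
            return false;
        }
    }
}
```

Unlike `GetMembers(true)`, this enumerates only the user's own chain of groups, so its cost depends on how deeply the user is nested rather than on how large the target group is.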